A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a myriad of different services and communication protocols. Each of the different services and communication protocols exposes the network to different security vulnerabilities.
Conventional techniques for detecting network attacks use pattern matching. In particular, an intrusion detection system (“IDS”) applies regular expressions or sub-string matches to detect defined patterns within a data stream. Multiple patterns may be used in an attempt to improve the accuracy of the attack detection. In order to improve the probability of detecting an attack, the IDS may attempt to identify the type of software application and protocol associated with the data stream. Based on the identification, the IDS selects the appropriate patterns to apply in order to detect a network attack, which is used herein to include viruses or other malicious activity.
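As an added illustration of the conventional approach described above (example code written for this page, not taken from any IDS product or from the patent), the following Python sketch first fingerprints the protocol from the start of a data stream and then applies only the regular-expression signature set for that protocol. The fingerprints, signature labels, patterns and sample streams are all constructed for the example and are deliberately simplified.

```python
import re
from typing import Dict, List, Optional, Tuple

# Protocol fingerprints applied to the start of a stream. These are
# simplified heuristics constructed for this example, not a real IDS ruleset.
PROTOCOL_FINGERPRINTS: Dict[str, "re.Pattern"] = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^(HELO|EHLO|MAIL FROM:|RCPT TO:)", re.IGNORECASE),
}

# Signature sets keyed by protocol; only the set for the identified protocol
# is applied. Labels and patterns are illustrative and constructed here.
SIGNATURES: Dict[str, List[Tuple[str, "re.Pattern"]]] = {
    "http": [
        ("path traversal sequence", re.compile(rb"\.\./\.\./")),
        ("sql keywords in request", re.compile(rb"union\s+select|or\s+1=1", re.IGNORECASE)),
    ],
    "smtp": [
        ("excessive recipients in one session",
         re.compile(rb"(RCPT TO:[^\r\n]*\r\n){20,}", re.IGNORECASE)),
    ],
}


def identify_protocol(stream: bytes) -> Optional[str]:
    """Return the name of the first fingerprint matching the stream start, else None."""
    for name, fingerprint in PROTOCOL_FINGERPRINTS.items():
        if fingerprint.match(stream):
            return name
    return None


def inspect(stream: bytes) -> Dict[str, object]:
    """Identify the protocol, then run only that protocol's signature set."""
    protocol = identify_protocol(stream)
    matches: List[str] = []
    if protocol is not None:
        for label, pattern in SIGNATURES[protocol]:
            if pattern.search(stream):
                matches.append(label)
    return {"protocol": protocol, "matches": matches}


if __name__ == "__main__":
    # Constructed sample streams for demonstration.
    samples = {
        "http traversal": b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "smtp bulk": b"EHLO relay.test\r\nMAIL FROM:<a@example.test>\r\n"
                     + b"RCPT TO:<u@example.test>\r\n" * 25,
        "unknown binary": b"\x16\x03\x01\x00\x10" + b"\x00" * 16,
    }
    for name, data in samples.items():
        print(name, "->", inspect(data))
```

The point of selecting the signature set by protocol is accuracy: an SMTP pattern run against HTTP traffic can only produce false positives, and a stream whose protocol cannot be identified gets no signatures at all, which is the blind spot the rest of this background discusses.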
Malicious users implement network attacks at various layers of the Open Systems Interconnection (OSI) reference model. For example, denial of service (DoS) attacks have been implemented historically at layer three (network layer) or layer four (transport layer) of the OSI model, such as SYN flood attacks, where an attacker bombards a network server with synchronization (SYN) packets, which may result in an overflow in the number of open connections for the server. Similar attacks include ACK floods and reset (RST) attacks.
Malicious users have recently developed network attacks at layer seven (application layer) of the OSI model. As one example, DoS attacks at the application layer may continually issue requests that consume a large amount of a web server's resources. For example, layer seven DoS attacks include repetitive issuing of database queries to the server. Other malicious network sessions at the application layer include “click fraud,” where an automated device or script repeatedly selects a particular ad-based link of a web page. Owners of web pages that display ad-based links receive revenue for each instance that the link is selected, so automated selection of the link may be fraudulent. Another malicious network session at the application layer relates to e-mailing scripts that send spam e-mails to as many recipients as possible.
To implement these attacks, some malicious users write programs (i.e., malicious software agents) that are intended to be executed on one or more other users' computers. Malicious users may write viruses, trojans, worms, or other malicious programs that implement these various attacks and that spread to many different computers. A malicious program may act as a “bot” that executes a script or other automated program to execute a network attack or perform other malicious activity at the application layer. A group of computing devices infected with the same malicious program, referred to as a “bot net,” may coordinate a network attack or malicious action against a common target at the application layer. Conventional IDS devices are not able to detect or react to software agents that implement these application-layer attacks.
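The repetitive application-layer sessions described in the two paragraphs above (repeated queries, repeated ad-link selection) consist of requests that are individually well-formed, so no per-request signature matches them. As an added example, not part of the original text and not the method the patent goes on to claim, the Python below counts requests per (client, path) over a sliding time window on a constructed access-log sample and reports the sources whose repetition rate reaches a threshold. The log lines, TEST-NET addresses, paths, window and threshold are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple


def _build_sample_log() -> List[str]:
    """Constructed access-log sample (not real traffic): one client repeating
    the same search, one client repeatedly selecting an ad link, and one
    client browsing normally. Format: '<iso-timestamp> <client> <method> <path>'."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    lines: List[str] = []
    for i in range(60):  # 60 identical searches within 30 seconds
        ts = t0 + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 GET /search?q=shoes")
    for i in range(25):  # 25 selections of one ad link within 25 seconds
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 203.0.113.9 GET /ad/click?id=77")
    for i, path in enumerate(["/", "/products", "/products/42", "/cart", "/checkout"]):
        ts = t0 + timedelta(seconds=7 * i)  # ordinary browsing session
        lines.append(f"{ts.isoformat()} 198.51.100.4 GET {path}")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, client, path)."""
    ts, client, _method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, path


def find_repetitive_clients(
    lines: Iterable[str],
    window: timedelta = timedelta(seconds=60),
    threshold: int = 20,
) -> Dict[Tuple[str, str], int]:
    """Sliding-window request count per (client, path). Returns, for every key
    whose count within any window reached the threshold, the peak count seen."""
    events = sorted(parse_line(line) for line in lines)
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    peaks: Dict[Tuple[str, str], int] = {}
    for ts, client, path in events:
        key = (client, path)
        queue = recent[key]
        queue.append(ts)
        while ts - queue[0] > window:  # drop requests older than the window
            queue.popleft()
        if len(queue) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(queue))
    return peaks


if __name__ == "__main__":
    for (client, path), peak in find_repetitive_clients(SAMPLE_LOG).items():
        print(f"{client} requested {path} up to {peak} times within 60 s")
```

Each flagged request would pass a signature check, since it is a normal search or link selection; only the behaviour across the session gives it away. Tightening the window to 10 seconds still flags the search loop (21 requests per window) but no longer the slower ad-link pattern, which is the usual tuning trade-off for rate-based application-layer detection.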